Fwd: [Dailydave] Understanding BIOS & SMM

coderman coderman at gmail.com
Tue Jan 28 15:25:18 PST 2014


---------- Forwarded message ----------
From: Xeno Kovah <xsk.dailydave at gmail.com>
Date: Sun, Jan 26, 2014 at 7:45 AM
Subject: [Dailydave] Understanding BIOS & SMM


Our research team at MITRE has been looking into BIOS security for the
past couple years and starting to publish our results in the last
year. We described BIOS exploits and an in-BIOS defensive system
called BIOS Chronomancy at venues like BlackHat and ACM CCS. We also
released a free tool called Copernicus[1] which lets you detect if a
BIOS is writable, and dump the contents of the BIOS from a Windows
system (which makes enterprise-wide configuration and integrity
checking possible.)

But the question is, let's say you have a BIOS dump and it shows
differences. How are you going to interpret those differences? How do
you distinguish natural changes from malicious ones? We wanted to get
a basic inspection capability out there, but we recognized that people
were going to need to know a lot more about system internals, hardware
quirks, and UEFI before they'd be able to make full use of it. So we
made a class to help bootstrap people faster. Currently the class is
scheduled for CanSecWest[2] and Syscan[3] (and the prices are going up
starting Feb 1).

It would be nice if people wanted to understand how the deep system
architecture worked for it's own sake, because we of course think it's
super interesting and fulfilling to know things others don't. But
hopefully the news of the past couple months has made people realize
that "out of sight, out of mind" isn't a great strategy for BIOS
security. First there was #badBIOS (which was kicked off by Dragos
experimenting with Copernicus[4]). Then there was NSA's defensive side
saying they had caught the Chinese making BIOS bricking attacks[5].
Then there was NSA's offensive side being caught having their own BIOS
backdoor capabilities[6]. And of course there were a whole lot of
people letting their FUD flags fly around all of it.

So if you'd like to get a more technical and quantitative view of what
the BIOS/SMM security landscape looks like, you should check out our
classes and watch for talks by Corey Kallenberg, John Butterworth, and
myself over the next 6 months where we'll be describing 2 new BIOS
memory-corruption-to-reflash exploits, 2 new SecureBoot-breaking
tricks, and trustworthy computing extensions to Copernicus that will
counter many classes of attacks against BIOS dumping software that
would let an attacker hide his BIOS presence.

Xeno

[1]http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
[2]https://cansecwest.com/dojo.html
[3]http://syscan.org/index.php/sg/training
[4]https://plus.google.com/103470457057356043365/posts/exuXRz5C3L3
[5]http://www.cbsnews.com/news/nsa-speaks-out-on-snowden-spying/
[6]http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html



More information about the cypherpunks mailing list